The New York Department of Financial Services (NYDFS) continues to be a major player in data security enforcement. On Oct. 18, 2022, NYDFS announced that it had entered into a consent order with EyeMed Vision Care LLC (EyeMed) to resolve allegations that EyeMed violated numerous provisions of the NYDFS Cybersecurity Regulation (Cybersecurity Regulation) that contributed to the exposure of non-public sensitive personal health data, including data concerning minors, to cyberattackers. EyeMed agreed to pay a $4.5 million penalty and "agreed to undertake significant remedial measures to better secure its data." NYDFS's settlement with EyeMed came days after the New York Attorney General announced a $1.6 million settlement with Zoetop Business Company, Ltd., for alleged cybersecurity failings affecting millions of customers of online retailers SHEIN and ROMWE (see our discussion of that settlement here).
NYDFS's settlement with EyeMed emphasizes the importance of conducting risk assessments—both specifically to comply with the Cybersecurity Regulation and generally to mitigate cyber risks—and adopting critical email security measures, such as multifactor authentication (MFA), access controls, and data retention and disposal requirements.
Moreover, NYDFS released proposed amendments to the Cybersecurity Regulation yesterday, November 9, 2022. We discussed an earlier version of these amendments in a prior post and will discuss the newly proposed amendments in a forthcoming post. Companies subject to the Cybersecurity Regulation should continue to follow NYDFS enforcement and rulemaking activities in this area.
NYDFS's Cybersecurity Regulation, which became effective in 2017, requires covered entities (those operating under New York's Banking Law, Insurance Law or Financial Services Law, subject to several exceptions) to "maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity's information systems." Covered entities must conduct a risk assessment—a foundational requirement of the Cybersecurity Regulation—and must adopt various safeguards based on the findings of its risk assessment, including MFA, encryption, training, an incident response plain, and vendor oversight.
The Cybersecurity Regulation applies broadly to "nonpublic information," which includes sensitive business information, enumerated categories of personally identifiable information, and information related to an individual's health or healthcare. Covered entities also are required to notify the NYDFS superintendent of "cybersecurity events" within 72 hours and to submit annual certifications of compliance with the Cybersecurity Regulation. The Cybersecurity Regulation has served as a model for several other data security laws and frameworks, including the FTC's revised Safeguards Rule under the Gramm-Leach-Bliley Act (discussed in our blog post and webinar).
NYDFS's Findings against EyeMed
EyeMed is a licensed health insurance provider. According to NYDFS's findings in the consent order, an unauthorized individual gained access to an EyeMed email account from June 24, 2020, to July 1, 2020. Nine EyeMed employees shared login credentials for that email account, which the company used to process and communicate about vision care insurance enrollments.
Through the intrusion, the attacker was able to access and view emails and attachments containing nonpublic personal information dating back six years. According to NYDFS's press release announcing the settlement, the intrusion "contributed to the exposure of hundreds of thousands of consumers' sensitive, non-public, personal health data, including data concerning minors." EyeMed suspected but could not confirm that the attacker gained access to the mailbox through a phishing attack. The mailbox contained over six years' worth of consumer data, including that of minors. However, the mailbox did not have MFA enabled when the attack occurred and was protected with a weak password shared by nine employees, which made it more vulnerable to threat actors.
DFS found that, among other violations, EyeMed failed to:
- Conduct an adequate risk assessment. The consent order refers to risk assessments as "a core component of a robust cybersecurity program." Although EyeMed had conducted third-party "audits of its IT controls and Enterprise Risk Management reviews," NYDFS found that those assessments did not meet the requirements of the Cybersecurity Regulation. Furthermore, none of the assessments addressed the risks posed by storage of nonpublic personal information in the shared mailbox. According to NYDFS, the failure to conduct an adequate risk assessment both violates the Cybersecurity Regulation itself and may result in other violations. For example, had EyeMed assessed the risk of storing sensitive data in the shared email box, it may have adopted MFA and other security controls prior to the attack.
- Implement MFA across its email system. NYDFS has made it clear that in most cases MFA should be implemented to protect email accounts that store nonpublic information. NYDFS issued guidance in December 2021 indicating that MFA should be used to secure both on-premises and cloud-based email systems. EyeMed was in the middle of rolling out MFA for its cloud-based Office 365 email system, but had not yet deployed MFA for the shared email account prior to the attack.
- Limit user access privileges. NYDFS found that EyeMed violated the Cybersecurity Regulation's requirement to limit user access privileges to nonpublic information in the way it shared access to the compromised mailbox. Nine EyeMed employees shared login credentials for access to that mailbox and, presumably to make access to the mailbox easier, the mailbox was protected with only a weak password.
- Shared mailboxes are common targets for phishing attacks, as they tend to have weaker access controls (to facilitate sharing) and typically receive a wide range of content from many different senders—making it harder for users of the mailbox to determine which emails are real and which are phishing.
- Implement sufficient data retention and disposal processes. NYDFS found that the compromised mailbox contained a large amount of nonpublic information, much of which was old and no longer necessary for business purposes. However, EyeMed did not have data minimization or data disposal procedures for the mailbox, giving the attacker access to a considerable amount of sensitive information and causing a violation of the Cybersecurity Regulation's requirement to maintain secure deletion procedures.
- Inadequate data minimization and deletion procedures for email accounts is a major data security issue at many companies. It is common for employees to store large amounts of sensitive information in their email accounts—alongside troves of non-sensitive messages and attachments—and to retain that information indefinitely. When such email accounts are compromised, large data breaches are often the result. Companies should direct employees to handle sensitive information outside of email—for example, by using secure transfer sites to transmit sensitive data and by moving sensitive information to secure document storage systems for long-term storage—and should consider adopting automatic deletion policies for email accounts, to the extent practicable.
As a result of these findings, NYDFS determined that EyeMed submitted improper certifications of compliance with the Cybersecurity Regulation from 2017 through 2020. In addition to paying the $4.5 million fine, EyeMed agreed to implement numerous remedial measures to better secure customer information, including conducting a comprehensive cybersecurity risk assessment and developing a detailed action plan describing how the company will address the risks identified in that assessment.
In New York and elsewhere, regulators are actively enforcing data breach notification and data security laws, resulting in millions of dollars in settlements for alleged violations. Companies must be prepared for regulators' scrutiny of their data security practices, including whether they employ up-to-date and industry-standard technical controls, such as hashing and encryption protocols.
Companies subject to the Cybersecurity Regulation should also be aware that in July 2022 NYDFS released draft amendments to the Cybersecurity Regulation, including requirements that executive management address cybersecurity issues, which we discussed in this blog post.
DWT's Information Security & Breach Response team regularly helps companies of all sizes and sectors navigate compliance with state and federal data breach notification and data security laws. We will continue to monitor enforcement agencies' actions in this area.
 23 C.R.R.-N.Y. § 500.2.
 23 C.R.R.-N.Y. § 500.1.
 23 C.R.R.-N.Y. § 500.17.
 Under the Cybersecurity Regulation, MFA must be used for access to an internal network from an external network (e.g., the Internet) "unless the covered entity's CISO has approved in writing the use of reasonably equivalent or more secure access controls." 23 C.R.R.-N.Y. § 500.12(b). NYDFS takes the position that a cloud-based email account is an "internal network" for the purposes of this requirement and, therefore, generally must be secured with MFA. See, for example, FAQ 18 from NYDFS's FAQs on the Cybersecurity Regulation: https://www.dfs.ny.gov/industry_guidance/cybersecurity.